Merge "Hide AccountLocked exception from end users" into stable/ussuri
2cf2912fd4
@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
|
||||||
taxonomy.OUTCOME_FAILURE,
|
taxonomy.OUTCOME_FAILURE,
|
||||||
target, self.event_type,
|
target, self.event_type,
|
||||||
reason=audit_reason)
|
reason=audit_reason)
|
||||||
|
if isinstance(ex, exception.AccountLocked):
|
||||||
|
raise exception.Unauthorized
|
||||||
raise
|
raise
|
||||||
except Exception:
|
except Exception:
|
||||||
# For authentication failure send a CADF event as well
|
# For authentication failure send a CADF event as well
|
||||||
|
|
|
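Review bot: `raise exception.Unauthorized` on the new line is raised from inside an active `except ... as ex` block, so the caught AccountLocked travels along implicitly as the `__context__` of the Unauthorized that reaches the client; that is acceptable for the user-facing response, but `raise exception.Unauthorized() from ex` would make the substitution explicit and keep the lockout attached for server-side logging while the message returned to the user stays generic. The `except` clause binding `ex` and the enclosing function both start outside the hunk, so I am assuming `ex` is the exception that triggered the CADF failure event on the preceding lines. That event is still emitted with `reason=audit_reason` before the exception is swapped, so the audit trail retains the lockout detail. A short why-comment above the new `if`, such as `# Surface AccountLocked to the client as a plain Unauthorized so the response does not reveal that the account exists and is locked (bug 1688137)`, would record why the more specific error is deliberately dropped here.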
@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
||||||
password = uuid.uuid4().hex
|
password = uuid.uuid4().hex
|
||||||
new_password = uuid.uuid4().hex
|
new_password = uuid.uuid4().hex
|
||||||
expected_responses = [AssertionError, AssertionError, AssertionError,
|
expected_responses = [AssertionError, AssertionError, AssertionError,
|
||||||
exception.AccountLocked]
|
exception.Unauthorized]
|
||||||
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
||||||
password=password)
|
password=password)
|
||||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||||
|
|
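Review bot: The updated expectation `exception.Unauthorized` at the end of `expected_responses` (and the five `assertRaises(exception.Unauthorized, ...)` changes in the LockingOutUserTests hunks at -576, -605, -624, -650 and -660) no longer distinguishes the fixed behaviour from the old one: if AccountLocked is a subclass of Unauthorized, which is how keystone.exception defines it as far as I can tell, an AccountLocked that escapes through some path the wrapper does not cover still satisfies an Unauthorized check and the tests pass with or without the fix. For the LockingOutUserTests cases the exception can be captured and its concrete type pinned: `with self.assertRaises(exception.Unauthorized) as cm:` around the `PROVIDERS.identity_api.authenticate(...)` call, followed by `self.assertNotIsInstance(cm.exception, exception.AccountLocked)`. How `expected_responses` is consumed in this test is outside the hunk, so tightening it the same way depends on the helper that compares against that list.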
|
@ -576,7 +576,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
||||||
)
|
)
|
||||||
# test locking out user after max failed attempts
|
# test locking out user after max failed attempts
|
||||||
self._fail_auth_repeatedly(self.user['id'])
|
self._fail_auth_repeatedly(self.user['id'])
|
||||||
self.assertRaises(exception.AccountLocked,
|
self.assertRaises(exception.Unauthorized,
|
||||||
PROVIDERS.identity_api.authenticate,
|
PROVIDERS.identity_api.authenticate,
|
||||||
user_id=self.user['id'],
|
user_id=self.user['id'],
|
||||||
password=uuid.uuid4().hex)
|
password=uuid.uuid4().hex)
|
||||||
|
@ -605,7 +605,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
||||||
with self.make_request():
|
with self.make_request():
|
||||||
# lockout user
|
# lockout user
|
||||||
self._fail_auth_repeatedly(self.user['id'])
|
self._fail_auth_repeatedly(self.user['id'])
|
||||||
self.assertRaises(exception.AccountLocked,
|
self.assertRaises(exception.Unauthorized,
|
||||||
PROVIDERS.identity_api.authenticate,
|
PROVIDERS.identity_api.authenticate,
|
||||||
user_id=self.user['id'],
|
user_id=self.user['id'],
|
||||||
password=uuid.uuid4().hex)
|
password=uuid.uuid4().hex)
|
||||||
|
@ -624,7 +624,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
||||||
with self.make_request():
|
with self.make_request():
|
||||||
# lockout user
|
# lockout user
|
||||||
self._fail_auth_repeatedly(self.user['id'])
|
self._fail_auth_repeatedly(self.user['id'])
|
||||||
self.assertRaises(exception.AccountLocked,
|
self.assertRaises(exception.Unauthorized,
|
||||||
PROVIDERS.identity_api.authenticate,
|
PROVIDERS.identity_api.authenticate,
|
||||||
user_id=self.user['id'],
|
user_id=self.user['id'],
|
||||||
password=uuid.uuid4().hex)
|
password=uuid.uuid4().hex)
|
||||||
|
@ -650,7 +650,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
||||||
with self.make_request():
|
with self.make_request():
|
||||||
# lockout user
|
# lockout user
|
||||||
self._fail_auth_repeatedly(self.user['id'])
|
self._fail_auth_repeatedly(self.user['id'])
|
||||||
self.assertRaises(exception.AccountLocked,
|
self.assertRaises(exception.Unauthorized,
|
||||||
PROVIDERS.identity_api.authenticate,
|
PROVIDERS.identity_api.authenticate,
|
||||||
user_id=self.user['id'],
|
user_id=self.user['id'],
|
||||||
password=uuid.uuid4().hex)
|
password=uuid.uuid4().hex)
|
||||||
|
@ -660,7 +660,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
||||||
# repeat failed auth the max times
|
# repeat failed auth the max times
|
||||||
self._fail_auth_repeatedly(self.user['id'])
|
self._fail_auth_repeatedly(self.user['id'])
|
||||||
# test user account is locked
|
# test user account is locked
|
||||||
self.assertRaises(exception.AccountLocked,
|
self.assertRaises(exception.Unauthorized,
|
||||||
PROVIDERS.identity_api.authenticate,
|
PROVIDERS.identity_api.authenticate,
|
||||||
user_id=self.user['id'],
|
user_id=self.user['id'],
|
||||||
password=uuid.uuid4().hex)
|
password=uuid.uuid4().hex)
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
|
||||||
|
Fixed the AccountLocked exception being shown to the end user since
|
||||||
|
it provides some information that could be exploited by a
|
||||||
|
malicious user. The end user will now see Unauthorized instead of
|
||||||
|
AccountLocked, preventing user info oracle exploitation.
|